simpliFiRE.IDAscope An IDA Pro extension for easier (malware) reverse engineering

Daniel Plohmann, Alexander Hanel [email protected] [email protected]

© Cyber Defense Research Group, Fraunhofer FKIE

Some words about myself

- Personal background
  - PhD student and researcher at University of Bonn & Fraunhofer FKIE
  - Research focus: Reverse Engineering
  - Work focus: malware analysis and botnet mitigation
- Projects
  - Author of 2011 ENISA Botnet Study [1]
  - PyBox [2]: userland-hooking framework (with Felix Leder)
  - AntiRE [3]: an executable collection of anti-reversing techniques

[1] http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence
[2] http://code.google.com/p/pyboxed
[3] https://bitbucket.org/fkie_cd_dare/simplifire.antire

simpliFiRE.IDAscope

Current State

IDAscope … in a nutshell

- An IDA Pro extension for easier (malware) reverse engineering.
- Motivated by the current workflow of working with IDA Pro.
  Repeat: "Identify relevant parts of the binary; tear apart; document findings."
- Common tasks:
  1. Malware RE usually starts with the corner pieces: strings, API calls, signature hits, …
     API calls are a good indicator for function semantics.
  2. Reoccurring need for looking up things in MSDN.
     Switch windows time and time again…
  3. C&C communication schemes are of high interest!
     Find and understand the cryptographic routines used.
- Idea: provide automation/integration of "helpers" that assist with regularly performed tasks.


IDAscope Overview

- Functionality organized in tabs
- Main window can be dragged around like every other IDA view.


IDAscope: Features 1) Function Inspection

- Tagging of functions
  - Based on API calls
  - APIs can be specified via config
  - Renaming with tags possible
- Example: DownloadToFile consists of API calls tagged with File and Network
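The tagging step as an added example on constructed call data (this is not IDAscope's own code; the config format, the call data and the "Tag1_Tag2_name" renaming scheme are assumptions made for the example): every function receives the tags of the configured APIs it calls, and a tagged name is built from them.

```python
# Added example, not IDAscope's own code. Tags functions by the APIs they call,
# in the spirit of IDAscope's Function Inspection. The config format, the call
# data and the "Tag1_Tag2_name" renaming scheme are constructed assumptions.

# Constructed config: API name -> semantic tag (IDAscope reads this from its config).
API_TAGS = {
    "CreateFileA": "File", "WriteFile": "File", "CloseHandle": "File",
    "InternetOpenA": "Network", "InternetOpenUrlA": "Network",
    "InternetReadFile": "Network",
    "CryptAcquireContextA": "Crypto", "CryptDecrypt": "Crypto",
    "RegOpenKeyExW": "Registry", "CreateThread": "Execution",
}

# Constructed call data: function name -> imported APIs it calls (in IDA this
# would come from the xrefs to import thunks inside each function).
CALLS = {
    "DownloadToFile": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                       "CreateFileA", "WriteFile", "CloseHandle"],
    "sub_401000": ["CryptAcquireContextA", "CryptDecrypt", "CloseHandle"],
    "sub_402000": ["GetTickCount"],  # calls nothing that is tagged
}


def tag_functions(calls, api_tags):
    """Return {function: sorted list of tags}; untagged functions are omitted."""
    result = {}
    for func, apis in calls.items():
        tags = {api_tags[api] for api in apis if api in api_tags}
        if tags:
            result[func] = sorted(tags)
    return result


def tagged_name(func, tags, sep="_"):
    """Prefix the function name with its tags, e.g. File_Network_DownloadToFile."""
    return sep.join(tags + [func]) if tags else func


def rename_with_tags(calls, api_tags):
    """Map every function to the name it would get after 'renaming with tags'."""
    tags = tag_functions(calls, api_tags)
    return {func: tagged_name(func, tags.get(func, [])) for func in calls}


if __name__ == "__main__":
    for old, new in rename_with_tags(CALLS, API_TAGS).items():
        print(f"{old:16} -> {new}")
```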


IDAscope: Features 1) Function Inspection

- Coloring of basic blocks
  - Based on API semantics
  - Colors can be adjusted
- More an experiment :)

Color legend: Sysinfo/Registry, File Access, Memory Access, Crypto, Network, Execution, Multi


IDAscope: Features 1) Function Inspection

- Code to function conversion
  - Function prologues get handled first
  - Then remaining undefined areas
  - Opens these code sections to further analysis


IDAscope: Features 1) Function Inspection

- Automatic renaming of wrapper functions
- Credits go to Branko Spasojevic (author of Optimice) for providing the code!


IDAscope: Features 2) WinAPI Browsing

- Seamless integration of MSDN in IDA Pro
  - Accessible via shortcut on highlighted elements
- Now also with online lookup!
  - But not multi-threaded / no backgrounded lookups yet


IDAscope: Features 3) Crypto Identification

- Identification of cryptographic / compression routines
- Based on the ratio of arithmetic / logic instructions to all instructions in a basic block
- Approach described in "Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse Engineering" by Juan Caballero et al.


Example: Citadel string decryption.
1) 3 arithmetic/logic (aritlog) instructions / 9 instructions = 33% rating
2) 9 instructions
3) 0 calls
4) Is a looped basic block
=> Matches above parameters
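The basic-block heuristic worked through as an added example (not IDAscope's own code): a block's aritlog rating is its share of arithmetic/logic instructions, and it is reported only if rating, instruction count, call count and the loop check all pass. The mnemonic sets, the threshold defaults and the two block listings are constructed for the example; the first block reproduces the numbers from the Citadel case above.

```python
# Added example, not IDAscope's own code. Implements the basic-block heuristic
# from the slides (Caballero et al., Dispatcher): the share of arithmetic/logic
# instructions in a block, plus instruction count, call count and a loop check.
# The mnemonic sets, threshold defaults and block listings are constructed.

ARITHLOG = {"add", "sub", "xor", "and", "or", "not", "neg", "shl", "shr",
            "sar", "rol", "ror", "mul", "imul", "div", "idiv", "inc", "dec"}
JUMPS = {"jmp", "je", "jne", "jz", "jnz", "ja", "jb", "jg", "jl", "loop"}

# Constructed block resembling a Citadel string-decryption loop:
# 9 instructions, 3 arithmetic/logic, no calls, last jump targets the block start.
CITADEL_LIKE_START = 0x401000
CITADEL_LIKE = [
    ("mov", "al, [esi]"), ("xor", "al, bl"), ("sub", "al, cl"),
    ("mov", "[edi], al"), ("lea", "esi, [esi+1]"), ("lea", "edi, [edi+1]"),
    ("add", "ecx, 1"), ("cmp", "ecx, edx"), ("jne", "0x401000"),
]
# Constructed block that calls into an API: must not be reported.
API_CALLER_START = 0x402000
API_CALLER = [("push", "eax"), ("call", "ds:HeapFree"),
              ("xor", "eax, eax"), ("ret", "")]


def rate_block(start, instructions):
    """Compute the aritlog rating and the other parameters for one basic block."""
    total = len(instructions)
    aritlog = sum(1 for mnem, _ in instructions if mnem in ARITHLOG)
    calls = sum(1 for mnem, _ in instructions if mnem == "call")
    last_mnem, last_op = instructions[-1]
    # "looped": the block's final jump goes back to its own start address.
    looped = (last_mnem in JUMPS and last_op.startswith("0x")
              and int(last_op, 16) == start)
    return {"rating": aritlog / total if total else 0.0,
            "instructions": total, "calls": calls, "looped": looped}


def matches(stats, min_rating=0.3, min_instructions=8, max_calls=0, need_loop=True):
    """Apply the parameter set; these defaults are assumptions, not IDAscope's."""
    return (stats["rating"] >= min_rating
            and stats["instructions"] >= min_instructions
            and stats["calls"] <= max_calls
            and (stats["looped"] or not need_loop))


if __name__ == "__main__":
    for start, block in ((CITADEL_LIKE_START, CITADEL_LIKE),
                         (API_CALLER_START, API_CALLER)):
        stats = rate_block(start, block)
        print(hex(start), stats, "match" if matches(stats) else "no match")
```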

simpliFiRE.IDAscope

Future Plans

IDAscope: Future Plans 4) Threads / Function Relationship

- Threads and function call chains are a good indicator of functionality
- A "big picture" would be very helpful.
- My opinion: We need something better than this (WinGraph) or step by step navigation via xrefs.
- Same function scope as IDA graph (IDAPython API has limited graph support), not much better...


IDAscope: Future Plans 4) Threads / Function Relationship

- Threads and function call chains are a good indicator of functionality
- Same displayed as tree, generated with Alex' script [4]
  [Tree view: starting at sub_41278F, each CreateThread call is expanded to its start address (e.g. sub_412757) and the functions and API calls reachable from it (DecryptBaseConfig, CustomRc4, registry, token-privilege and security-descriptor APIs, …); the flattened tree listing is not reproduced here.]
- Use a TreeWidget for rendering?

[4] http://hooked-on-mnemonics.blogspot.com/2012/08/ida-thread-analysis-sript.html

IDAscope Conclusion

- Start using it! :)
- Repository at http://idascope.pnx.tf (points to: https://bitbucket.org/daniel_plohmann/simplifire.idascope)
- I report about updates
  - in my blog: http://blog.pnx.tf
  - on twitter @push_pnx
  - Alex has a blog, too: http://hooked-on-mnemonics.blogspot.com
- Send feedback or ideas for improvement! [email protected]
